antiforgerytoken

MVC3 AntiForgeryToken Issue

时光总嘲笑我的痴心妄想 submitted on 2019-12-30 03:37:47
Question: I am trying to implement AntiForgeryToken for my MVC3 application. I am having a problem with AntiForgeryToken after setting the FormAuthentication cookie. Here is a simple example which explains my problem. I have a home controller with the following action methods:

    public class HomeController : Controller
    {
        public ActionResult Logon()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Logon(string userName, string password)
        {
            FormsAuthentication.SetAuthCookie(userName, false

AntiforgeryValidationException when trying to login by two different tabs

允我心安 submitted on 2019-12-24 00:23:14
Question: The steps:

- The login page is opened in two different tabs.
- User A logs in from Tab 1 (no issues).
- Without refreshing Tab 2, user B tries to log in. Redirects to 400 page. (Exception: Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user.)

Any solution to handle this?

Answer 1: I agree with @matt-shepherd that this is the correct behavior of the anti-forgery token validation. Tab B is in an

AntiForgery implementation in Asp.net Forms

落花浮王杯 submitted on 2019-12-23 22:41:19
Question: I am developing an HttpHandler to process some requests in Web Forms (NOT in MVC). How could I implement Anti Cross Site Scripting (like antiforgery in MVC)? I want to know more about the antiforgery mechanism in MVC.

Answer 1: If you can access the Page, you can use the ViewStateUserKey property of the Page. Here is an example of how to do this from within the page, but you will get the idea:

    protected void Page_Init(object sender, EventArgs e)
    {
        // Validate whether ViewState contains the MAC

Handle AntiForgery Token in Winform and WebAPI

让人想犯罪 __ submitted on 2019-12-23 16:09:30
Question: What's the best way to deal with antiforgery on methods with the ValidateAntiForgeryTokenAttribute attribute while calling from a non-browser client, say WinForm? Based on what I know, below is how anti-forgery works:

- A hidden input field is added to the page, e.g.
- A cookie with the same name is also sent to the client.
- On the next request, both the cookie and the hidden input field are sent to the server.
- Server calls AntiForgery.Validate(token, cookie) to confirm that the request is legit.

All works

AntiForgery Exception: A required anti-forgery token was not supplied or was invalid

帅比萌擦擦* submitted on 2019-12-23 12:28:32
Question: I have an MVC2 application. I am trying to implement the AntiForgeryToken helper to prevent CSRF attacks. I am implementing this using Steve Sanderson's blog: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/ When I implement this in a NEW MVC2 project it works. But when I put the same code in my REAL application, it ALWAYS throws this exception: A required anti-forgery token was not supplied or was invalid. Here is my

Handle Anti forgery errors during logging in while already Logged in? ASP.NET MVC

拟墨画扇 submitted on 2019-12-22 03:54:14
Question: When a user is logged in and goes to the login page while so, if he tries to log in again you get an anti-forgery error:

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Another type of error I get is:

The provided anti-forgery token was meant for a

AntiForgeryToken Expiration Blank Page

試著忘記壹切 submitted on 2019-12-22 03:45:26
Question: I'm using IdentityServer4 with ASP.NET Core 2.2. On the Post Login method I have applied the ValidateAntiForgeryToken. Generally after 20 minutes to 2 hours of sitting on the login page and then attempting to log in, it produces a blank page. If you look at the Postman Console you get a 400 Bad Request message. I then set the Cookie Expiration on the AntiForgery options to 90 days. I was able to allow the page to sit for up to 6 hours and still log in. However, after around 8 hours (overnight), I

AntiForgery Token implementation in WebAPI+AngularJS app

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-22 01:18:29
Question: I have an HTML app, which uses Web API and AngularJS. We are planning to implement an AntiForgery token in the app. I have an Index.cshtml page in which I have added this code:

    @using System.Web.Helpers
    @functions{
        public string GetAntiForgeryToken()
        {
            string cookieToken, formToken;
            AntiForgery.GetTokens(null, out cookieToken, out formToken);
            return cookieToken + ":" + formToken;
        }
    }

And added an input tag like this:

    <input id="antiForgeryToken" data-ng-model="antiForgeryToken" type="hidden" data

ASP.NET Core MVC anti forgery

非 Y 不嫁゛ submitted on 2019-12-21 19:27:43
Question: Trying to turn on anti-forgery in a Core MVC project but with no luck. What was done: a filter was added to automatically check the anti-forgery token on every POST request.

    services.AddMvc(o =>
    {
        o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
    });

Token generation was added to each page this way.

    @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Antiforgery;
    @{
        var antiforgeryRequestToken = Antiforgery.GetAndStoreTokens(Context).RequestToken;
    }
    ...
    ...
    <script>
        var antiforgeryToken =

How can I use multiple ajax forms with AntiForgery validation on the same MVC3 page?

可紊 submitted on 2019-12-21 05:39:25
Question: When we have more than one possible form to post to the controller on the same cshtml page, the Antiforgery validation does not work. We went through the MVC3 code and we found the problem is in this part of the code:

    if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
    {
        // error: form token does not match cookie token
        throw CreateValidationException();
    }

The cshtml that we have is something like this:

    @using (@Ajax.BeginForm())
    {
        @Html.AntiForgeryToken()
        <input